Add usedforsecurity=False flag to md5 hashes (#7049)

Co-authored-by: Ezra Odio <[email protected]> Co-authored-by: Justin Clift <[email protected]>
getredash · Jul 11, 2024 · d9282b2 · d9282b2
1 parent 28c3921
commit d9282b2
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/redash/models/users.py b/redash/models/users.py
@@ -166,7 +166,7 @@ def profile_image_url(self):
         if self._profile_image_url:
             return self._profile_image_url
 
-        email_md5 = hashlib.md5(self.email.lower().encode()).hexdigest()
+        email_md5 = hashlib.md5(self.email.lower().encode(), usedforsecurity=False).hexdigest()
         return "https://www.gravatar.com/avatar/{}?s=40&d=identicon".format(email_md5)
 
     @property
@@ -233,7 +233,9 @@ def has_access(self, obj, access_type):
         return AccessPermission.exists(obj, access_type, grantee=self)
 
     def get_id(self):
-        identity = hashlib.md5("{},{}".format(self.email, self.password_hash).encode()).hexdigest()
+        identity = hashlib.md5(
+            "{},{}".format(self.email, self.password_hash).encode(), usedforsecurity=False
+        ).hexdigest()
         return "{0}-{1}".format(self.id, identity)
 
     def get_actual_user(self):

diff --git a/redash/query_runner/query_results.py b/redash/query_runner/query_results.py
@@ -90,7 +90,9 @@ def create_tables_from_query_ids(user, connection, query_ids, query_params, cach
 
     for query in set(query_params):
         results = get_query_results(user, query[0], False, query[1])
-        table_hash = hashlib.md5("query_{query}_{hash}".format(query=query[0], hash=query[1]).encode()).hexdigest()
+        table_hash = hashlib.md5(
+            "query_{query}_{hash}".format(query=query[0], hash=query[1]).encode(), usedforsecurity=False
+        ).hexdigest()
         table_name = "query_{query_id}_{param_hash}".format(query_id=query[0], param_hash=table_hash)
         create_table(connection, table_name, results)
 
@@ -142,7 +144,9 @@ def create_table(connection, table_name, query_results):
 
 def prepare_parameterized_query(query, query_params):
     for params in query_params:
-        table_hash = hashlib.md5("query_{query}_{hash}".format(query=params[0], hash=params[1]).encode()).hexdigest()
+        table_hash = hashlib.md5(
+            "query_{query}_{hash}".format(query=params[0], hash=params[1]).encode(), usedforsecurity=False
+        ).hexdigest()
         key = "param_query_{query_id}_{{{param_string}}}".format(query_id=params[0], param_string=params[1])
         value = "query_{query_id}_{param_hash}".format(query_id=params[0], param_hash=table_hash)
         query = query.replace(key, value)

diff --git a/redash/utils/__init__.py b/redash/utils/__init__.py
@@ -60,7 +60,7 @@ def gen_query_hash(sql):
     """
     sql = COMMENTS_REGEX.sub("", sql)
     sql = "".join(sql.split())
-    return hashlib.md5(sql.encode("utf-8")).hexdigest()
+    return hashlib.md5(sql.encode("utf-8"), usedforsecurity=False).hexdigest()
 
 
 def generate_token(length):